The ‘Human Firewall’ Is Dead – Long Live the People

Recently, I read an article that suggested the ‘human firewall’ is broken and that it cannot be fixed. This observation comes from a company that provides commercial technical solutions to assist with mitigating cyber threats.

The first aspect of this comment I would like to address is the element referred to as ‘the human firewall.’ Let’s call it like it is: this element is people. Seriously, we need to stop dealing with people as commodities and treat them with the respect they deserve. After all, they are the most valuable assets in any company.

Along this same train of thought, we can strengthen existing commercial-interpersonal relationships by introducing back into our technological world some aspects of the social realm that are evident in ordinary people and employees. Let us also consider the human chain of interaction where organizations incorporate their security policies into the workforce.

These policies need to be practical and workable; they should not consist of a stick with which the commercial feudal hand beats wrongdoers over the head for every inimical act.

When it comes to proof of the pudding, it was some years ago that Martin Smith wrote a book entitled, Commonsense Computer Security. This text correctly focuses on the people side of the security equation.

But we need to go further. At the end of the day, what we are striving for is to formulate a robust interface through which employees and the technical mechanisms each play their part and work together to deliver a robust solution. (Trust me, one without the other will not work.)

We should also consider the technological offset at this juncture and recognize that a machine-driven ‘silver bullet’ simply does not exist.

The constant need to patch systems and applications, together with legacy environments, undoubtedly leaves security holes that are open to exploitation, and even fully up-to-date anti-virus solutions may fail and allow dangerous code into a protected environment. Therefore, if we subscribe to the idea that technical means alone can address all cyber threats, I fear we may be walking along a path that is doomed to fail.

Let’s put into context the value of the ‘human firewall’, or people. Take as an example an organization that has encountered around 450 high-risk communications containing malicious code.

In this case, only around two percent of employees actually opened the communications; the remainder either reported or deleted them, as they had learned to do through an effective security education and awareness program.

On this occasion, however, because the malicious communication was an early crimeware release, the technology was not able to detect the malware. The final security barrier, therefore, fell upon the people.

But that being said, I have some obtuse statistics which tend to demonstrate where security education has not been well-honed.

In this case, the technology again allowed malicious software to reach users, the majority of whom opened the communications and, by doing so, inadvertently caused infections, downtime and adverse effects on operations.

Based on my experience of 30 years in security, my conclusions are as follows:

Treat people as people and give them the respect they deserve. Do not treat them as any other element that plugs into the company’s security architecture.

New policies that are slated to be incorporated into the business should be created so as to be both workable and practical with regards to the world of business.

Create a security education and awareness program that brings the subject of security to life. This can be done by highlighting the added benefit of keeping end-users safe in their personal lives by learning about best security practices at the workplace.

Last but by no means least, I urge you to not be duped by misinformation that paints technology as the ‘silver bullet.’ Do not allow yourself to be misled into the belief that people can’t be trained to the advantage of an organization.

To conclude, the ‘human firewall’ is indeed dead. It has since been replaced by people. Long live the people.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.